Sometimes an incorrect checksum gets committed, or upstream changes a tarball without changing its filename. In both cases, OE will bail out and complain about a checksum mismatch (unless OE_ALLOW_INSECURE_DOWNLOADS is enabled). Here are the steps a developer should take to resolve the issue safely.

Look through the output of "mtn --diffs --no-merges log conf/checksums.ini | less" and find the person who committed the current md5sum.

Contact them and ask them to run md5sum on their copy again. If they still have the original tar file against which the original checksum was generated, compare results.

Then we have three possible scenarios.

The original committer does not have the original file anymore or is unsure about its integrity. In that case, please write to openembedded-devel@lists.linuxtogo.org. Don't do anything further.

The original committer generates the same md5sum as you, indicating an error in the original commit. In this case we can safely commit the update. Indicate in your commit message that your md5sum and the other person's matched.

The numbers don't match. Then we need to consult upstream and ask if they changed the tarball. Sadly, this is something that commonly happens. After confirmation from upstream we can update checksums.ini.
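The three scenarios above can be written down as a small triage helper. This is an added example, not part of OE; the function names, the sample URL and the "[url]" section with "md5=" key layout used for checksums.ini are assumptions made for illustration.

```python
import configparser
import hashlib

# Constructed sample; the "[url]" section with "md5="/"sha256=" keys is an assumed layout.
SAMPLE_URL = "http://downloads.example.org/foo-1.0.tar.gz"
SAMPLE_INI = """\
[http://downloads.example.org/foo-1.0.tar.gz]
md5=0123456789abcdef0123456789abcdef
sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

def file_digests(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def recorded_md5(ini_text, url):
    """Return the md5 recorded for a source URL, or None if there is no entry."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    return cp.get(url, "md5", fallback=None)

def _norm(digest):
    # Digests pasted from mail or chat often carry whitespace or upper case.
    return digest.strip().lower() if digest else None

def triage(recorded, mine, committer):
    """Map the recorded, local and committer md5 values onto the scenarios.
    committer is None when they no longer have, or do not trust, their file."""
    recorded, mine, committer = _norm(recorded), _norm(mine), _norm(committer)
    if mine == recorded:
        return "no-mismatch"        # nothing to resolve
    if committer is None:
        return "ask-mailing-list"   # scenario 1: stop, write to the list
    if committer == mine:
        return "commit-update"      # scenario 2: the original commit was wrong
    return "consult-upstream"       # scenario 3: tarball may have changed

if __name__ == "__main__":
    import sys
    mine, _ = file_digests(sys.argv[1])
    theirs = sys.argv[2] if len(sys.argv) > 2 else None
    print(mine, triage(recorded_md5(SAMPLE_INI, SAMPLE_URL), mine, theirs))
```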